Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] Script Submission: HTTP NTLM Information Disclosure
From: Daniel Miller <bonsaiviking () gmail com>
Date: Fri, 07 Feb 2014 12:13:01 -0600

On 02/06/2014 02:55 PM, nmap user wrote:
Hi Daniel,

Thanks for the feedback.

Attached is the revised code leveraging the smbauth.get_host_info_from_security_blob() function where possible.

As for logging -- within IIS, the script event is logged as '401' (Unauthorized), the same as if a web browser visited the page with NTLM authentication enabled. When anonymous access is permitted to the web server this request is simply logged as a '200' (since NTLM auth is disabled).

Thanks,
Justin

Justin,

Thanks for that. It looks like this may be a good candidate for the default category. The script is looking great, too. I made a couple minor changes and committed this in r32706.

1. I renamed the script to http-ntlm-info to match similar -info script names.

2. I expanded the base64 NTLM authentication blob so that folks can see what they are actually sending (and possibly change it in the future without redoing a packet capture). A cleaner alternative would be replacing auth_blob with a call to smbauth.get_security_blob(), but since that doesn't include the OS information (an older way of doing it), I stuck with your well-tested string.

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]